Hacking the Aether: How Data Crosses the Air-Gap

It is incredibly interesting how many parts of a computer system are capable of leaking data in ways that is hard to imagine. Part of securing highly sensitive locations involves securing the computers and networks used in those facilities in order to prevent this. These IT security policies and practices have been evolving and tightening through the years, as malicious actors increasingly target vital infrastructure.

Sometimes, when implementing strong security measures on a vital computer system, a technique called air-gapping is used. Air-gapping is a measure or set of measures to ensure a secure computer is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Sometimes it’s just ensuring the computer is off the Internet. But it may mean completely isolating for the computer: removing WiFi cards, cameras, microphones, speakers, CD-ROM drives, USB ports, or whatever can be used to exchange data. In this article I will dive into air-gapped computers, air-gap covert channels, and how attackers might be able to exfiltrate information from such isolated systems.

Many techniques presented here (but not all) would require a previous breach to have already compromised the isolated machine (usually installing some kind of malware in the process). This may have happened via a social engineering attack, an inside job, an undercover special operation or whatever James Bond scenario you have in mind, it’s not important for the current article scope. Although the malware delivery mechanism makes for an interesting problem and discussion, the scope of this article is on how to exfiltrate data after the breach (if a breach was, in fact, needed).

What is an Air-Gap Covert Channel?

An air-gap covert channel could be defined as any unintentional channel that is used to transmit and/or receive data between systems that are physically isolated and, by policy, not authorized to communicate with one another, in which air-gapping measures were taken at the emitter, receiver or both. Unintentional means that the channel was not originally designed to be used as a data channel, for example, the modem LEDs. Although there might me some additional software (malware) needed at the target system to make a particular covert channel viable, there is no additional hardware installed on such systems. In some cases there might be, however, specific hardware at the attacker’s end.

That being said, there are also ways so remotely monitor a system without any previous intervention. It has been shown in the past that it is possible to monitor the radiation emitted by a CRT monitor and even LCDs. Some of you might have heard of this form of computer surveillance, usually referred a Van Eck phreaking or as TEMPEST (although TEMPEST is a lot broader than just this form of surveillance). It’s possible to listen to computer keyboards, each key emits a slightly different noise when pressed so it’s possible to log key strokes without actually requiring logging software. Even the high frequency noise emitted by a CPU can include information about the instructions being executed.

There is a wide range of air-gap covert channels and one way to naturally organize them is by the physical channel that they use to achieve their goals. Currently researchers have been able to implement such channels using different mediums, such as:

Physical Media

Acoustic

Light

Seismic

Magnetic

Thermal

Electromagnetic

For the sake of the explanation, I will refer to using a channel as passive when there is no modification on the emitter/target side whatsoever and the receiver/attacker is essentially doing remote sniffing of a resource. In contrast, I will use the term active when there is the need for some kind of software to be running at the emitter/receiver, usually via a previous attack.

Physical Media

Spreading malware via physical media is old news. In a not so distant past, floppy disks were pretty much how viruses spread, when computer users exchanged pirated games important information. The CD-ROM slowed down and almost killed that phenomenon but the USB drives brought it back again.

Stuxnet, Fanny and Gauss, are a family of computer worms that bridge the air-gap using USB drives as a carrier to send/receive requests to and from the operator via a hidden storage area created in raw FAT structure. Whenever the USB drive is connected to an infected computer that has an Internet connection, it connects to a C&C server and deploys additional components and commands to the hidden storage. When it get inserted back into an air-gapped system, it runs the commands and gathers intelligence again.

Acoustic

When it comes to acoustic covert channels, a lot of research has been done. There are probably two reasons for this: a computer (the emitter) makes or can be driven to make sounds in several different ways and the receiver is usually a normal microphone.

Passive acoustic

This guy is very inconspicuous [Source: EndoAcustica Parabolic Mic]Computers make noise, a lot of noise. Printers make noise, keyboards make noise, the mouse, the cooling fans, even the capacitors on the motherboard emit ultrasonic noise. In 2004, Dmitri Asonov and Rakesh Agrawal used a neural network to analyse the sound produced by computer keyboards and keypads used on telephones and automated teller machines (ATMs) to recognize the keys being pressed.

Also in 2004, Adi Shamir, Eran Tromer and Daniel Genkin demonstrated that its possible to conduct timing attacks against a CPU performing cryptographic operations by analysing from ultrasonic noise emanating from capacitors and inductors on computer motherboards and implemented a successful attack on RSA on laptop running GnuPG.

Active acoustic

A malware dubbed BadBios was reportedly uncovered by security consultant Dragos Ruiu in 2010, which used high-pitched sounds inaudible to the human ear in order to communicate. The existence of this malware is disputed, but the alleged method of communications is feasible.

In 2013, Michael Hanspach and Michael Goetz used the computer speakers and microphones to construct a covert channel utilizing audio modulation/demodulation on the near ultrasonic frequency range (17kHz-20kHz) and demonstrated how a covert acoustical mesh network can be conceived via ultrasonic audio communications. Fansmitter is a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present, because it utilizes the noise emitted from the CPU and chassis fans. DiskFiltration is another software that is able to exfiltrate data but it uses acoustic signals emitted from the hard drive by manipulating the movements of the hard drive actuator, using seek operations so that it moves in specific ways, generating sound.

Light

Light can also be used for data exfiltration. The usual light emitting device on a computer (a.k.a. the monitor) can be the immediate choice but there are others, like the keyboard LEDs. Other equipment that have LEDs or displays might also be used for the purpose of implementing this kind of covert channels, such as printers or modems. On the input side, light reading sensors from smartphones or even scanners have been used to demonstrate how to send data to a compromised device.

Passive light

In 2002, M.G. Kuhn, et al., proved it was possible to reconstruct the CRT screen’s contents analysing the light intensity of the displays diffuse reflection off a wall. This is possible because the light intensity of the last few thousand pixels drawn by a CRT leaked a low-pass filtered version of the video signal. LCDs were not vulnerable to this particular attack but Backes, et al., showed that the contents of liquid crystal display (LCD) screens could also be reconstructed by analysing diffuse reflections off objects in the environment (e.g., teapots, eyeglasses,bottles, spoons, and a wine glass). With telescopic lenses, it was shown to work from 30 meters away.

Again in 2002, J. Loughry and D. A. Umphress demonstrated that the LED status indicators on data communication equipment are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Many different sorts of devices, including modems and routers, were found to be vulnerable. It is possible for an eavesdropper that can measure the LEDs light intensity to infer the information being sent/received through these devices.

Active light

Blinking Scroll Lock

Hasan, et al., shown that is is possible for a mobile phone’s ambient light sensor (ALS; used for auto-brightness and other features) to register changes in light emitted by screens (LCD/TV) and proved that a low bit-rate exfiltration channel could be implemented with the screen as the emitter (e.x. a laptop screen) and a mobile phone with ALS present in many smartphones nowadays as a receiver.

J. Loughry and D. A. Umphress implemented software that transmits ASCII data by modulating the Caps Lock LED with serial data at 50 bits/s. They show that at a high enough rate, a regular user would not notice the blinking LED. Transmissions using infrared (IR) light were also researched at some point, but interest was lost since most modern computers no longer include IR hardware.

At the Black Hat Europe conference in 2014, Adi Shamir, Yuval Elovici and Moti Guri showed how a malware infected computer on an air-gapped network could receive and send attack commands through a multi-function printer’s scanner that the computer is connected to. To transmit data, an attacker would need to shine light, visible or IR, into the room where the scanner is and while a scan is in progress. The slightly different shades of white in the scanned document represent the binary code for the issued command.

Seismic

Seismic or vibrational communication is a process of exchanging information through mechanical vibrations. Under certain conditions, it’s possible to induce vibration through a computer speaker. Almost all phones and smartphones have the ability to produce seismic waves using the vibrator.

Passive seismic

Marquardt, et al., were able to demonstrate a side-channel attack to reconstruct the keystrokes typed on a keyboard located in close proximity (a couple of inches maximum) to an accelerometer-equipped cell phone. The keystrokes were detected using only the vibration and not the sound of the key being pressed.

At CanSecWest in 2009, researchers showed how they used a laser pointed at the back of a laptop to infer keystrokes. The keystrokes would cause the laptop to vibrate which they could detect with the laser listening device and then use techniques similar to those in speech recognition to determine what sentences were being typed.

Active seismic

Hasan, et al., devised a way to explore the low-frequency sounds from the speakers to induce vibrations in the surroundings. Note that this is not using sound per-se as a medium (although sound is a mechanical wave) but using sound to make something vibrate. The vibrations could then be picked up by an accelerometer. Systems with subwoofers make this even easier as they are able to produce louder, low-frequency sounds which result in stronger vibrations.

Deshotels demonstrated that Android devices, in contact with one another, could communicate using vibration signals lasting as little as 1 ms and the vibrations would be imperceptible to humans. Halevi and Saxena demonstrated that the mobile phone’s vibrations produced an acoustic signal which could be picked up by a regular microphone from up to three feet away, a mix between seismic and acoustic channels.

Magnetic

Digital compass app

It’s hard to find a smartphone these days that doesn’t have a compass. A chip with magnetometer capabilities is responsible for measuring the magnetic field and detecting the position of magnetic north. But it’s a sensor like any other we’ve seen, with a little imagination this too can be abused as a communication channel.

Hasan, et al. explored the hypothesis of a malware receiving commands via a magnetometer (for example, an electronic compass app). The signals to transmit to the device are modulated using a custom built electro-magnet to induce changes in the detected magnetic field of the magnetometer. They managed to prove error-free communication was possible over a distance of 3.5 inches, but a greater distance is likely possible with a stronger electromagnet. In any case, there are challenges in achieving large distances since a magnetic field’s strength is inversely proportional to the cube of the distance from the source.

Thermal

Thermal imaging

All electronic devices generate excess heat and require thermal management to improve reliability and prevent premature failure. Computers are no exception. This is usually done with fans and we’ve already seen how they can be abused to provide an exfiltration channel. Changes in temperature are shown to be an effective, albeit painfully slow, data channel.

Mirsky, et al., demonstrated how an Internet-connected air-conditioning system could be remotely controlled by an attacker to send commands to malware on an air-gapped system using a one way thermal covert channel. Mordechai Guri, Matan Monitz, Yisroel Mirski, Yuval Elovici created BitWhisper, a software able to bridge the air-gap between adjacent compromised computers (up to 40cm) by using their heat emissions and built-in thermal sensors to create a covert bidirectional communication channel (up to 8 bits per hour).

Electromagnetic

Maybe the most known covert channel is via radio-frequency (RF) and because of that it’s likely to be the most researched. Bell Labs originally noted this vulnerability back in WWII when Bell Telephone provided the military an encryption device called a 131-B2. They had one working in their laboratories when, by accident, someone noticed that each time the machine stepped, a spike would appear on an oscilloscope in a distant part of the lab. They studied these spikes more carefully and found out that they could read the plain text of the message being ciphered by the machine. This was probably one source of inspiration for the TEMPEST program.

Side-band electromagnetic radiation emissions are present in pretty much all electronic equipment, especially if it is unshielded.

Passive RF

The popular Van Eck phreaking, named after Dutch computer researcher Wim van Eck who publish a paper about it back in 1985, allows an eavesdropper to clone a CRT monitor’s contents by remotely detecting its electromagnetic (EM) emissions. In an unshielded CRT monitor tests were successfully conducted from a distance of 1km as well as a distance of 200m for a shielded monitor. Furthermore, in 2005 Kuhn demonstrated that LCD screens are also vulnerable to a similar attack.

Wireless keyboard sniffing is widely known but wired keyboard sniffing… not so much. Martin Vuagnoux and Sylvain Pasini demonstrated that the electromagnetic emanations from wired USB and PS/2 keyboards could be recorded and keystrokes decoded from up to 5m distance. The same guys that showed how they used a laser pointed at the back of a laptop to record motion and recover keys also devised a way to sniff characters from a PS/2 keyboard by monitoring the ground line in an outlet 50 feet away. Last year a team of researchers, including Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, managed to monitor the EM leakage of a laptop on a specific frequency while the laptop was decrypting a ciphertext using elliptic curve encryption (ECC). The signal contained information about the operands used in the ECC operation, enough to recover the secret key.

Active RF

The video card leaks a lot of EM emissions and it turns out it can be manipulated to transmit in chosen frequencies. AirHopper is a software that turns a computer’s video card into an FM transmitter, which can be captured by a standard FM radio, even the ones that are built into a smartphone. William Entriken created a System Bus Radio — a C library that can make a computer emit radio waves even if the device doesn’t include any radio transmission hardware.

In 2015, Mordechai Guri, Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky and Yuval Elovici managed to exfiltrate data from a computer over GSM by invoking specific memory-related instructions and utilizing the multi-channel memory architecture to amplify the transmission up to 30m. They used a basic low-end mobile phone with GSM network with modified firmware to receive the data. Last year, Mordechai Guri, Matan Monitz, Yuval Elovici disclosed a paper showing how a software can intentionally generate controlled electromagnetic emissions from the data bus of a USB 2.0/3.0 connector that can be detected with a SDR dongle.

Other Channels

The topic of air-gap covert channels is just fascinating. It keeps showing that sometimes reality can be even more interesting than a spy movie plot, with all those impossible gadgets. It speaks to the very essence of what hacking is all about, when you put together a seeming impossible problem, an incredible dose of imagination, and out of the box thinking to break and bend the rules and reach a working solution. To question everything, to accept no boundaries or limitations and to have an holistic view on what a system is and not what you’re told the system is, might very well be the key to finding other channels or methods to bridge the air-gap.

This article was not meant to feed the reader’s paranoia. Your computer can still be safe, just don’t go and plug the USB pen you found in the parking lot into your underground, acoustically isolated, randomly refrigerated, magnetic shielded, Faraday caged, turned off computer…

As a ham, the drawing of the guy with the Yagi antenna bugs me. To pick up signals from the target device, the Yagi, which is directional, should have its central axis pointing towards the signal source (LCD). It’s not going to pick up much from the target LCD when it’s pointing at the ceiling, as in the drawing.

I briefly worked in a building construct for a Russian ‘official business’ in Poland under Russian occupation (1949-1989). Double walls, double windows, outside window led glass etc. It was a building inside a bigger building :o

Infected with tiny evil spirits. Burn it. Or. Mute/disable every input/output that you aren’t using. Try a different set of speakers or headset. Fiddle with volume controls (if OS is low and speaker turned all the way up then try the opposite). Wrap in foil and connect to ground?

At a previous place of employment, we had a CP/M machine that would make faint noises as it did work, because the input to the amplifier for its speaker (it was an all-in-one unit with a built-in terminal that needed to be able to beep) wandered all over the board.

Because of this, you could kind of tell what it was up to. During a long crunch, you could sit there and read a book or something, keeping an ear out for the change that told you it was done.

We considered this feature so useful that when one of the engineers built his homebrew machine, he made certain the audio input wandered all over the board so that his machine would do the same thing.

Everything (so badly) wrong with that book (and pretty much any other discussion of the subject) is quite nicely illustrated by the relevant obligatory xkcd comic – I won’t even bother linking it, I’m sure we’re all thinking of the same one (“rubberhose cryptanalysis”)… If you think you’re in one of the situations to which that comic does not apply, you should also start seriously worrying about giant asteroids smashing into the Earth any second now – the chances are about the same…

Step-1: Signal acquisition. That’s where the concept of Near-Field vs. Far-Field matters (read up on TEMPEST as a start).

Step-2: Deconstruct modulation, framing, clock, error-correction etc. (this is fairly hard but not too bad for simple systems provided you have a reasonable Software Defined Radio that can handle your target).

Step-3: Once you crack Step-2, deconstruct the payload information (this is often much harder due to robust encryption, but you never know!).

Step-4, Deconstruct where the user data is going to/from. Now you’re sniffing/spoofing packets.

Step-5, Deconstruct what the data is being used for. If you get this far, there’s a good chance you can PWN the target’s host.

If you can obtain an exact duplicate of the system or device you’re getting data from it should be much simpler to do. You’d be able to get not just in the ballpark but with a short distance of home base – only needing minor adjustments to get the setup perfect.

There was a demonstration (which I can’t find now) of reading passwords with a video camera, without the keyboard or number pad in view. The technique relied on a precise dimensional model of the input device then used tracking of the user’s arm and hand motions.

Smartwatch gesture recording and playback. Strap a fancy motion detector to your wrist. Get some malware on it to look for GPS locations of ATMs (either from the watches own GPS or from a linked phone) then when the wearer is near an ATM, start recording the motion data to send to the bad guys. Could get even more sophisticated by waiting for a specific orientation that matches an upraised position to poke at the number pad, begin streaming motion data and look for a short burst of rapid and short movements to save. Got your PIN!

How to defend against motion capture hacks like these? Don’t waggle your whole arm about while poking buttons and keys with one finger. Try holding your arm and hand still and just moving your index finger to do the entry. Also, switch fingers at least once to create a large offset in the motion positions. In other words, deliberately create garbage data to obfuscate your input. Won’t help if the device/system itself is compromised but at least you won’t be giving it away to somebody with a camera over there somewhere.

Wow…..!, you just took me down memory lane, causing quite a TEMPEST to be stired up in my dusty old memories as a USAF communications and computer technologists. Quite the storm of memories emanating in this poor old brain. Thanks for a great article, just one word of precaution , Don’t let the cat out of the Faraday cage. Grat artible ….!

This is a big issue with aircraft avionics. “Bad guys” can use the emissions from aircraft avionics to track and “kill” an aircraft. I worked for a helicopter manufacturer, and we went to great lengths to ensure that there were no radiated signals from all the electronics aboard the aircraft.